
Clickjacking protection through X-Frame-Options and STS


Hello everyone,

I've made extensive use of the configurations available on GitHub by omega8cc and yhager. I've added a few things myself and I will share them on GitHub soon.

One of the things I added is clickjacking protection through the X-Frame-Options header. This is supported in modern browsers and also in IE8. See the Mozilla Dev Center explanation of this header.

The best thing is to add in your server context:

add_header X-Frame-Options sameorigin;

Replace sameorigin with deny to disable framing from all domains, including your own.

There's also Strict Transport Security for SSL/TLS connections.
It forces the connection to go through HTTPS and disables any HTTP-only requests. PayPal implements it on their HTTPS-only site. Here's an example. Force HTTPS on all requests for 2 hours (7200 seconds):

add_header Strict-Transport-Security "max-age=7200";
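To show how the two headers above fit together in one server context, here is an added example (not from this post and not from the omega8cc or yhager configurations). The hostname example.com, the certificate paths and the document root are placeholders.

```nginx
# Added example, not part of the original post.
# Placeholders: example.com, /etc/nginx/ssl/example.com.{crt,key}, /var/www/example.com

# Plain HTTP: only redirect to HTTPS. Browsers ignore a Strict-Transport-Security
# header received over plain HTTP, so there is no point sending it here.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Clickjacking protection: only pages from this same origin may frame the site.
    # Use DENY instead to forbid framing by any page, including your own.
    add_header X-Frame-Options SAMEORIGIN;

    # HSTS: for the next 7200 seconds the browser rewrites http:// to https://
    # for this host. The value must be a single argument with no spaces around
    # the "=", otherwise nginx treats "max-age", "=" and "7200" as three arguments.
    add_header Strict-Transport-Security "max-age=7200";

    root  /var/www/example.com;
    index index.php index.html;
}
```

One nginx detail worth checking after adding these: add_header directives are inherited from the server context only when a location block has no add_header of its own. A location that adds any header (a Cache-Control on static files, for instance) silently drops the inherited X-Frame-Options and Strict-Transport-Security, so either repeat them there or verify the response headers of every location with curl -I.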

I really like the idea of using HTTPAuth to protect install.php and other Drupal sensitive files in yhager's configuration.
